Comcast IPV6 with local DHCPV6 server???

  • Comcast has deployed IPV6 in my area, and using PfSense with the 'Track Interface' LAN IPV6 configuration type everything works fine. Problem is that I need better control of assigned IPV6 addresses to my clients so that I can implement fine grained/per client group traffic limiters.

    I am able to assign a local static IPV6 address to the LAN interface, then configure the local DHCPV6 server to assign static IPV6 addresses to my clients, but after doing so, I lose IPV6 connectivity to the WAN. IPV6 DNS resolution works fine, but nothing else!

    Pinging [2607:f8b0:4002:802::1012] with 32 bytes of data:
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.

    Ping statistics for 2607:f8b1:4001::1:
        Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

    Is there any way to get PfSense to do something similar to IPV4 NAT in order to bridge the internal IPV6 subnet to the WAN side IP address? I realize this defeats the whole purpose of IPV6, but I need some way to get each client on a predictable IPV6 address (at least the part of the address within the subnet).

  • That is not going to work in principle, because the static IPv6 subnet that you make is not likely to match the subnet/s delegated from your ISP from time to time. The DNS would work because the DNS requests go to pfSense, and it uses its real WAN IPv6 to do the name resolution and then gives back the answers.
    So, how is this supposed to work in principle? I would have thought:
    a) IPv6 DHCP (or whatever) on WAN - a prefix (/48 /56 /60 or /64 or whatever) is delegated from the ISP
    b) LAN is set to track interface WAN - the LAN now has 1 of the /64 subnets delegated (e.g. by default the 1st one)
    c) Use DHCPv6 Server to specify just the host part of the IPv6 address (the network part, 1st 64 bits, comes from the ISP and can change from time to time) - e.g. make your server ::1, a printer ::2, general DHCP range :1:0:0 to 1:ff:ff - whatever you want.
    d) In rules, specify the source address as "tracked network"::1 to match the server. (The actual public IPv6 address of the server changes every time the delegated prefix changes)

    In practice, steps (c) and (d) can't be done on the GUI. Or can they? Or is there some completely different way it should be done so that pfSense can put together a static-mapped IPv6 address for LAN clients and use it in firewall rules...?
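Worked example of what steps (b) through (d) above actually compute, added here as an illustration; it is not code from this thread or from pfSense. It uses only Python's standard `ipaddress` module, the delegated prefixes are constructed values from the documentation range (2001:db8::/32), and the function names are my own. It shows the host part staying fixed while the network part follows whatever prefix the ISP delegates today, how a "tracked network"::1 style rule has to be re-evaluated after the prefix changes, and why a LAN prefix picked outside the delegation (the first point in this reply) is not reachable from the WAN side.

```python
import ipaddress

# Constructed example delegations (RFC 3849 documentation range), not real ISP prefixes.
EXAMPLE_DELEGATION_TODAY = "2001:db8:1234:ab00::/56"
EXAMPLE_DELEGATION_LATER = "2001:db8:5678:cd00::/56"   # what a renumbering might hand out

HOST_BITS = 64                      # a LAN is one /64; the low 64 bits are the host part
HOST_MASK = (1 << HOST_BITS) - 1


def lan_network(delegated_prefix: str, subnet_index: int) -> ipaddress.IPv6Network:
    """Step (b): the Nth /64 carved out of the prefix the ISP delegated ("track interface")."""
    delegation = ipaddress.IPv6Network(delegated_prefix, strict=False)
    if delegation.prefixlen > HOST_BITS:
        raise ValueError("a /64 LAN needs a delegation of /64 or shorter")
    available = 2 ** (HOST_BITS - delegation.prefixlen)
    if not 0 <= subnet_index < available:
        raise ValueError(f"{delegated_prefix} only contains {available} /64 subnet(s)")
    base = int(delegation.network_address) + (subnet_index << HOST_BITS)
    return ipaddress.IPv6Network((base, HOST_BITS))


def compose_address(delegated_prefix: str, subnet_index: int, host_part: str) -> ipaddress.IPv6Address:
    """Step (c): a fixed host part (e.g. '::1') joined to the variable network part."""
    host = int(ipaddress.IPv6Address(host_part))
    if host >> HOST_BITS:
        raise ValueError("host part must fit in the low 64 bits, e.g. '::1' or '::1:0:0'")
    lan = lan_network(delegated_prefix, subnet_index)
    return ipaddress.IPv6Address(int(lan.network_address) | (host & HOST_MASK))


def rule_matches(source_address: str, delegated_prefix: str,
                 subnet_index: int, host_part: str) -> bool:
    """Step (d): does a packet's source equal '<tracked network>::<host>' under the
    delegation that is current right now?  The same rule text yields a different
    concrete address after every prefix change."""
    return ipaddress.IPv6Address(source_address) == compose_address(
        delegated_prefix, subnet_index, host_part)


def lan_inside_delegation(lan_prefix: str, delegated_prefix: str) -> bool:
    """Only addresses inside the delegation are routed back to this site by the ISP.
    A hand-picked static LAN /64 that is not inside it can send out but never gets
    replies, which is exactly the 'DNS works, ping times out' symptom."""
    return ipaddress.IPv6Network(lan_prefix, strict=False).subnet_of(
        ipaddress.IPv6Network(delegated_prefix, strict=False))


if __name__ == "__main__":
    for delegation in (EXAMPLE_DELEGATION_TODAY, EXAMPLE_DELEGATION_LATER):
        lan = lan_network(delegation, 0)                 # default: the first /64
        server = compose_address(delegation, 0, "::1")   # server keeps host part ::1
        printer = compose_address(delegation, 0, "::2")
        print(f"delegation {delegation}: LAN {lan}, server {server}, printer {printer}")

    # The server's old address stops matching the rule once the prefix changes.
    old_server = str(compose_address(EXAMPLE_DELEGATION_TODAY, 0, "::1"))
    print("old address still matches after renumbering:",
          rule_matches(old_server, EXAMPLE_DELEGATION_LATER, 0, "::1"))

    # A static LAN chosen independently of the delegation is outside what the ISP routes here.
    print("static 2001:db8:ffff:1::/64 inside today's delegation:",
          lan_inside_delegation("2001:db8:ffff:1::/64", EXAMPLE_DELEGATION_TODAY))
```

The point the code makes is that the only stable thing is the low 64 bits; any firewall rule or limiter has to be expressed relative to the tracked network and recomputed when the delegation moves, which is why a fixed static LAN prefix plus DHCPv6 behaves the way the original post describes.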

  • C) Definitely can't be done via UI. It will not allow starting of DHCPV6 unless a static IPV6 is specified for the LAN interface.

    What I would need is some way to map a fixed /64 subnet to the variable /64 subnet assigned by Comcast… Don't think it's possible, unless I'm looking at this the wrong way?
